athena's People

Contributors

checkymander, generalbison, github-actions[bot], tr41nwr3ck


athena's Issues

Issue with Raspberry Pi ARM64 architecture?

root@raspberrypi:/home/pi/Mythic# ./mythic-cli install github https://github.com/MythicAgents/Athena

2024/06/14 09:26:41 [*] Creating temporary directory
2024/06/14 09:26:41 [*] Cloning https://github.com/MythicAgents/Athena
Cloning into '/home/pi/Mythic/tmp'...
2024/06/14 09:26:43 [*] Parsing config.json
[*] Processing Payload Type athena
[*] athena already exists. Replace current version? [y/n]: y
2024/06/14 09:26:44 [*] Stopping current container
2024/06/14 09:26:44 [*] Removing current version
2024/06/14 09:26:45 [+] Successfully removed the current version
2024/06/14 09:26:45 [*] Copying new version of payload into place
2024/06/14 09:26:45 [*] Adding service into docker-compose
2024/06/14 09:26:45 [*] Removing old volume, athena_volume, if it exists
No stopped containers
Creating volume "athena_volume" with default driver
WARNING: Found orphan containers (hercules-exercise2, hercules-exercise4, hercules-exercise3, hercules-exercise1, hercules-exercise5) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
Pulling athena (ghcr.io/mythicagents/athena:v2.1.4)...
v2.1.4: Pulling from mythicagents/athena
ERROR: no matching manifest for linux/arm64/v8 in the manifest list entries
2024/06/14 09:26:49 [+] Successfully installed service
2024/06/14 09:26:49 [+] Successfully installed c2
2024/06/14 09:26:49 [*] Processing Documentation for Athena
[*] Athena documentation already exists. Replace current version? [y/n]: y
2024/06/14 09:26:50 [*] Removing current version
2024/06/14 09:26:50 [+] Successfully removed the current version
2024/06/14 09:26:50 [*] Copying new documentation into place
2024/06/14 09:26:50 [+] Successfully installed Payload documentation
2024/06/14 09:26:50 [+] Successfully installed c2 documentation
2024/06/14 09:26:50 [+] Successfully installed Wrapper documentation
[*] Restarting mythic_documentation container to pull in changes
Stopping mythic_documentation ... done
WARNING: Found orphan containers (hercules-exercise3, hercules-exercise2, hercules-exercise1, hercules-exercise4, hercules-exercise5) for this project. If you removed or renamed this service in your compose file, you can run this command with the --remove-orphans flag to clean it up.
Starting mythic_documentation ... done
2024/06/14 09:26:54 [*] Waiting for RabbitMQ to come online (Retry Count = 10)
2024/06/14 09:26:54 [*] Attempting to connect to RabbitMQ at 127.0.0.1:5672, attempt 1/10
2024/06/14 09:26:54 [+] Successfully connected to RabbitMQ at amqp://mythic_user:<password>@127.0.0.1:5672/mythic_vhost

2024/06/14 09:26:54 [*] Waiting for Mythic Server and Nginx to come online (Retry Count = 10)
2024/06/14 09:26:54 [*] Attempting to connect to Mythic UI at https://127.0.0.1:7443, attempt 1/10
2024/06/14 09:26:54 [+] Successfully connected to Mythic at https://127.0.0.1:7443

MYTHIC SERVICE WEB ADDRESS BOUND LOCALLY
Nginx (Mythic Web UI) https://127.0.0.1:7443 false
Mythic Backend Server http://127.0.0.1:17443 true
Hasura GraphQL Console http://127.0.0.1:8080 true
Jupyter Console http://127.0.0.1:8888 true
Internal Documentation http://127.0.0.1:8090 true

ADDITIONAL SERVICES ADDRESS BOUND LOCALLY
Postgres Database postgresql://mythic_user:<password>@127.0.0.1:5432/mythic_db true
React Server http://127.0.0.1:3000/new true
RabbitMQ amqp://mythic_user:<password>@127.0.0.1:5672 true

Mythic Main Services
CONTAINER NAME STATE STATUS MOUNT PORTS
mythic_documentation running Up Less than a second (health: starting) local 8090/tcp -> 127.0.0.1:8090
mythic_graphql running Up 11 hours (healthy) N/A 8080/tcp -> 127.0.0.1:8080
mythic_jupyter running Up 11 hours (healthy) local 8888/tcp -> 127.0.0.1:8888
mythic_nginx running Up 11 hours (healthy) local 7443/tcp -> :::7443, 7443
mythic_postgres running Up 11 hours (healthy) local 5432/tcp -> 127.0.0.1:5432
mythic_rabbitmq running Up 11 hours (healthy) local 5672/tcp -> 127.0.0.1:5672
mythic_react running Up 11 hours (healthy) local 3000/tcp -> 127.0.0.1:3000
mythic_server running Up 11 hours (healthy) local 7000/tcp -> :::7000, 7001/tcp -> :::7001, 7002/tcp -> :::7002, 7003/tcp -> :::7003, 7004/tcp -> :::7004, 7005/tcp -> :::7005, 7006/tcp -> :::7006, 7007/tcp -> :::7007, 7008/tcp -> :::7008, 7009/tcp -> :::7009, 7010/tcp -> :::7010, 17443/tcp -> 127.0.0.1:17443, 17444/tcp -> 127.0.0.1:17444, 7000, 7001, 7002, 7003, 7004, 7005, 7006, 7007, 7008, 7009, 7010

Installed Services
CONTAINER NAME STATE STATUS MOUNT
apfell running Up 10 hours apfell_volume
atlas restarting Restarting (1) Less than a second ago local
discord running Up 11 hours local
dns running Up 11 hours local
hercules-Exercise1 restarting Restarting (0) 11 seconds ago local
hercules-Exercise2 created Created local
hercules-Exercise3 created Created local
hercules-Exercise4 created Created local
hercules-Exercise5 created Created local
hercules_c2 created Created local
hercules_translator created Created local
hermes restarting Restarting (1) 28 seconds ago local
http running Up 11 hours http_volume
httpx running Up 11 hours httpx_volume
jamfserver running Up 20 minutes local
leviathan running Up About an hour local
medusa running Up About an hour local
poseidon running Up 10 hours poseidon_volume
scarecrow_wrapper running Up About an hour local
sliverapi running Up 11 hours sliverapi_volume
sliverimplant running Up 11 hours sliverimplant_volume
tcp running Up 11 hours local
thanatos restarting Restarting (1) 32 seconds ago thanatos_volume
typhon running Up 20 minutes local

2024/06/14 09:26:54 [*] RabbitMQ is currently listening on localhost. If you have a remote Service, they will be unable to connect (i.e. one running on another server)
2024/06/14 09:26:54 Use 'sudo ./mythic-cli config set rabbitmq_bind_localhost_only false' and restart mythic ('sudo ./mythic-cli restart') to change this
2024/06/14 09:26:54 [*] MythicServer is currently listening on localhost. If you have a remote Service, they will be unable to connect (i.e. one running on another server)
2024/06/14 09:26:54 Use 'sudo ./mythic-cli config set mythic_server_bind_localhost_only false' and restart mythic ('sudo ./mythic-cli restart') to change this
2024/06/14 09:26:54 [*] If you are using a remote PayloadType or C2Profile, they will need certain environment variables to properly connect to Mythic.
2024/06/14 09:26:54 Use 'sudo ./mythic-cli config service' for configs for these services.
[+] Successfully installed service!
root@raspberrypi:/home/pi/Mythic#

Desktop

  • OS: Raspberry Pi OS Full (64-bit)
  • Browser Chromium
  • Version: Latest

Error on http profile build

After cloning new mythic, http, and athena, and creating a payload with defaults, I get the following build error:

STDERR:
Error building payload: Traceback (most recent call last):
  File "/Mythic/athena/mythic/agent_functions/builder.py", line 378, in build
    build_msg += "Adding {} profile...".format(profile["name"]) + '\n'
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/tmpwnltg8yh0f0eb337-3264-4f55-902b-552f234ce0c6/Athena/bin/Release/net7.0/win-x64/publish//http.json'

I believe it's because the full directory path on the way to {profile}.json may not exist yet.
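
A defensive version of the profile-config write that the traceback above points at, added here as a Python example (it is not the project's builder.py): it creates the whole publish directory before opening the file, lets pathlib join the components so no `//` is produced, and rejects profile names that could escape the directory. Function and parameter names are assumptions.

```python
import json
import os
import re
import tempfile
from pathlib import Path

# Profile names come from the C2 profile config; restricting them to a safe
# character set keeps "<profile>.json" inside the publish directory.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")


def write_profile_config_unsafe(publish_dir: str, profile: dict) -> str:
    """The failing pattern: open() never creates missing parent directories,
    so on a fresh build tree this raises FileNotFoundError (and the hand-built
    path can end up with a doubled slash)."""
    target = f"{publish_dir}/{profile['name']}.json"
    with open(target, "w", encoding="utf-8") as fh:
        json.dump(profile, fh)
    return target


def write_profile_config(publish_dir: str, profile: dict) -> Path:
    """Hardened version: validate the name, create the whole publish path
    first, and let pathlib join the components so no '//' is produced."""
    name = str(profile.get("name", ""))
    if not _SAFE_NAME.match(name):
        raise ValueError(f"refusing unsafe profile name: {name!r}")
    out_dir = Path(publish_dir)
    out_dir.mkdir(parents=True, exist_ok=True)  # the fix for the traceback
    target = out_dir / f"{name}.json"
    with target.open("w", encoding="utf-8") as fh:
        json.dump(profile, fh, indent=2)
    return target


def demo() -> tuple:
    """Constructed run against a temporary build tree shaped like the one in
    the error message. Returns (unsafe_raised, hardened_ok, traversal_rejected)."""
    profile = {"name": "http", "callback_host": "https://c2.example.invalid",
               "callback_port": 443}  # constructed sample profile
    with tempfile.TemporaryDirectory() as tmp:
        publish = os.path.join(tmp, "Athena", "bin", "Release", "net7.0",
                               "win-x64", "publish")
        try:
            write_profile_config_unsafe(publish, profile)
            unsafe_raised = False
        except FileNotFoundError:
            unsafe_raised = True
        path = write_profile_config(publish, profile)
        hardened_ok = (json.loads(path.read_text(encoding="utf-8")) == profile
                       and "//" not in str(path))
        try:
            write_profile_config(publish, {"name": "../escape"})
            traversal_rejected = False
        except ValueError:
            traversal_rejected = True
    return unsafe_raised, hardened_ok, traversal_rejected


if __name__ == "__main__":
    print(demo())
```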

Slack profile does not compile.

Describe the bug
Default settings athena payload with slack profile does not compile.

the error:

Traceback (most recent call last):
  File "/Mythic/athena/mythic/agent_functions/builder.py", line 369, in build
    await self.buildSlack(agent_build_path, c2)
  File "/Mythic/athena/mythic/agent_functions/builder.py", line 144, in buildSlack
    baseConfigFile = open("{}/Agent.Profiles.Slack/Base.txt".format(agent_build_path.name), "r").read()
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/tmp5rba2g65efa69a08-f0d1-45a7-a274-04b8839e533e/Agent.Profiles.Slack/Base.txt'

Logging into the container shows that the directory /tmp/tmp5rba2g65efa69a08-f0d1-45a7-a274-04b8839e533e does not exist.

Possible Dropped Packets/Message Encoding Problems

The Athena agent appears to be dropping network packets causing proxy and uploads to fail in some cases.

  1. When uploading larger binary files (10-20MB) I have observed that sometimes the upload fails before completion. The file will be smaller than the original and corrupt. This happens more frequently with larger files and with non-text files. Makes me think that packets are lost or something fails when it encounters a bad character.

  2. Noticed that the proxy server is dropping packets, causing binary data such as RDP/TLS streams to break when being proxied. This is less noticeable when text data is transferred, such as http.

Note my agents are not using the aes message encryption, so maybe that could contribute?

Athena Agent not starting

Describe the bug
In a clean new mythic install the athena container is constantly restarting

To Reproduce
Steps to reproduce the behavior:

  1. Install mythic
  2. Install athena via sudo ./mythic-cli install github https://github.com/MythicAgents/Athena
  3. Show Logs via sudo ./mythic-cli logs athena
  4. See error:
Traceback (most recent call last):
  File "/Mythic/main.py", line 5, in <module>
    p = subprocess.Popen(["dotnet", "build", "--verbosity=q", "--nologo"], cwd="/Mythic/athena/agent_code/AthenaPlugins")
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/subprocess.py", line 1024, in __init__
    self._execute_child(args, executable, preexec_fn, close_fds,
  File "/usr/local/lib/python3.11/subprocess.py", line 1917, in _execute_child
    raise child_exception_type(errno_num, err_msg, err_filename)
FileNotFoundError: [Errno 2] No such file or directory: 'dotnet'
Traceback (most recent call last):
  File "/Mythic/main.py", line 5, in <module>
    p = subprocess.Popen(["dotnet", "build", "--verbosity=q", "--nologo"], cwd="/Mythic/athena/agent_code/AthenaPlugins")
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Expected behavior
athena should start

Desktop (please complete the following information):

  • latest Kali
  • latest Firefox

Additional context

Looks like main.py does not find the dotnet binary in the itsafeaturemythic/mythic_python_dotnet:latest image.

I fixed it with a full path in main.py

cat main.py
import mythic_container
from athena.mythic import *
import subprocess

p = subprocess.Popen(["/root/.dotnet/dotnet", "build", "--verbosity=q", "--nologo"], cwd="/Mythic/athena/agent_code/AthenaPlugins")

mythic_container.mythic_service.start_and_run_forever()

Parsing issues in ls

Path parsing is broken in Linux and Mac when using the FileBrowser

parent is returning "" when it should probably be returning "/"

Due to this file browser reports the path as "etc\ModemManager"

[image]

Starts working again once you're out of the base directory (via filebrowser)

[image]

likely fixes
1.) Properly handle paths where it's just /
2.) When parent is "" or "/" return the parent as "//" to unfuck things

'exec' and 'shell' commands errors

Describe the bug
Hi,

shell

the command is showing some errors while providing it a simple command such as ls -la
[image]
after a small talk with you on Slack, while running "shell" without any command and with the Task empty, it will open an interactive shell that works properly.

exec

this command though, didn't work for me at all. I might be doing it wrong, but this issue is for it as you asked :)
[image]
[image]

Expected behavior
shell command - disable any other input/parameters, and open interactive shell directly. I think this window is not required:
[image]

exec command - to work properly :)

Desktop:

  • OS: macOS x64

Agent Config
[image]

coff doesn't respect impersonation context of agent.

Describe the bug
When running the coff command, a new thread is spun up without specifying LPSECURITY_ATTRIBUTES, the default behavior of this function is to use the token of the calling process, rather than the impersonated thread.

https://github.com/MythicAgents/Athena/blob/dev/Payload_Type/athena/athena/agent_code/AthenaPlugins/coff/coff/BofRunner.cs#L83

Fix: Since the task is already being spun up in a new thread, could I potentially just change the entry point to a delegate function and just execute it directly that way?

BOF/COFF Related Issues

Describe the bug

Athena will crash after timeout period for bof related commands
   - Need to figure out how to fix this
Athena prints debug messages due to bof loader
   - This is due to the issue over at https://github.com/nettitude/RunOF/issues/2 until I'm able to figure out how to rebuild the bof_funcs I need to use their precompiled one
COFF Related commands must be "preloaded" even though it really doesn't do anything
   - Might mark these as preloaded and add a preflight check to make sure coff is loaded beforehand

Agent crashes when parsing proxy

Created Athena payload, ran on the host, crashed with the following error:

Unhandled exception. System.UriFormatException: Invalid URI: The format of the URI could not be determined.
   at System.Uri.CreateThis(String uri, Boolean dontEscape, UriKind uriKind, UriCreationOptions& creationOptions)
   at System.Uri..ctor(String uriString)
   at Athena.Config.HTTP..ctor(String uuid) in /tmp/tmptxjoypu_00572087-df47-4fbe-9fd6-f8221c348623/Athena/Config/MythicConfig.cs:line 71
   at Athena.Config.MythicConfig..ctor() in /tmp/tmptxjoypu_00572087-df47-4fbe-9fd6-f8221c348623/Athena/Config/MythicConfig.cs:line 30
   at Athena.MythicClient..ctor() in /tmp/tmptxjoypu_00572087-df47-4fbe-9fd6-f8221c348623/Athena/MythicClient.cs:line 21
   at Athena.Program.Main(String[] args) in /tmp/tmptxjoypu_00572087-df47-4fbe-9fd6-f8221c348623/Athena/Program.cs:line 21

Note that the agent was not configured with any proxy values, so in theory they should have been blank values.

I created a fork, commented out the offending code, and pulled in my modified agent, and it then works without crashing.

The changes can be seen here:
https://github.com/woanware/Athena/commit/cade6aef61eaf8ca689c73ac9972aeb917599554

"Failed to find ATT&CK TNum" error messages on profile installation

Describe the bug
After installing the latest Athena profile into the latest Mythic, the following messages appear in the Mythic logs:

athena:get-sessions - Failed to find ATT&CK TNum: T0840
athena:test-port - Failed to find ATT&CK TNum: T1423
athena:net-view - Failed to find ATT&CK TNum: T0840

To Reproduce
Steps to reproduce the behavior:

  1. Install latest Mythic
  2. Install latest Athena

Expected behavior
No C2 errors in the logs on startup

Obfuscation of in memory strings

In a similar way to #21

I could possibly include all of the strings as an embedded resource and have them encrypted and have the strings associated by their config location.

Alternatively, I could encrypt them at compile time and modify the task callback functions to decrypt messages before returning them to mythic.

Race Condition in Upload command

When uploading files with a fast enough sleep time sometimes, the handle won't be closed in time before the next chunk arrives to the agent:

Failed to process message.System.IO.IOException: The process cannot access the file 'C:\Users\myuser\Desktop\Athena.exe' because it is being used by another process.
   at Microsoft.Win32.SafeHandles.SafeFileHandle.CreateFile(String fullPath, FileMode mode, FileAccess access, FileShare share, FileOptions options)
   at Microsoft.Win32.SafeHandles.SafeFileHandle.Open(String fullPath, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, Nullable`1 unixCreateMode)
   at System.IO.Strategies.OSFileStreamStrategy..ctor(String path, FileMode mode, FileAccess access, FileShare share, FileOptions options, Int64 preallocationSize, Nullable`1 unixCreateMode)
   at Agent.Plugin. (Byte[], String)

Likely cause is chunks arriving quicker than the handle is able to be closed by the OS; need to add some locking or waiting to fix.
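
The "locking or waiting" fix the issue proposes, shown as an added Python illustration rather than the agent's own C# code: chunk writes to one destination are serialised by a per-path lock, every handle is closed before the lock is released, and a bounded retry absorbs the transient sharing violation Windows raises while the previous handle drains. Class, function and chunk-size values are assumptions.

```python
import os
import random
import tempfile
import threading
import time
from concurrent.futures import ThreadPoolExecutor


class ChunkedUploadWriter:
    """Writes fixed-size upload chunks to disk one at a time per destination.

    A per-path lock guarantees the previous chunk's handle is closed before the
    next chunk opens the file (chunks may arrive concurrently or out of order),
    and a short retry loop absorbs the sharing violation Windows raises if the
    OS has not yet released the handle.
    """

    def __init__(self, chunk_size: int, retries: int = 5, backoff_s: float = 0.05):
        self.chunk_size = chunk_size
        self.retries = max(1, retries)
        self.backoff_s = backoff_s
        self._locks: dict = {}
        self._guard = threading.Lock()

    def _lock_for(self, path: str) -> threading.Lock:
        with self._guard:
            return self._locks.setdefault(path, threading.Lock())

    def _open_with_retry(self, path: str):
        # "r+b" keeps bytes already written; "w+b" creates the file on the first chunk
        for attempt in range(self.retries):
            try:
                return open(path, "r+b" if os.path.exists(path) else "w+b")
            except PermissionError:  # Windows: "being used by another process"
                if attempt == self.retries - 1:
                    raise
                time.sleep(self.backoff_s * (attempt + 1))

    def write_chunk(self, path: str, chunk_num: int, data: bytes) -> None:
        """Store 1-based chunk `chunk_num` at its fixed offset in `path`."""
        if chunk_num < 1 or len(data) > self.chunk_size:
            raise ValueError("bad chunk number or oversized chunk")
        with self._lock_for(path):
            with self._open_with_retry(path) as fh:
                fh.seek((chunk_num - 1) * self.chunk_size)
                fh.write(data)
                fh.flush()
            # the handle is closed here, before the lock is released


def demo_concurrent_upload(total_bytes: int = 400_000, chunk_size: int = 32_768) -> bool:
    """Constructed test: split a deterministic blob into chunks, deliver them
    from several threads in shuffled order, and check the file is intact."""
    original = bytes(range(256)) * (total_bytes // 256)
    chunks = [original[i:i + chunk_size] for i in range(0, len(original), chunk_size)]
    order = list(range(1, len(chunks) + 1))
    random.Random(7).shuffle(order)  # simulate chunks racing each other
    writer = ChunkedUploadWriter(chunk_size)
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "Athena.exe")  # constructed destination
        with ThreadPoolExecutor(max_workers=8) as pool:
            list(pool.map(lambda n: writer.write_chunk(dest, n, chunks[n - 1]), order))
        with open(dest, "rb") as fh:
            return fh.read() == original


if __name__ == "__main__":
    print(demo_concurrent_upload())
```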

Keylogger Issues

Ever since the rewrite keylogger has been kitchy, try to figure out why.

Using SOCKS on Linux causes CPU utilisation to jump to 100%

Describe the bug
Starting the SOCKS functionality on a Linux deployment of the Athena agent causes CPU utilisation for the Athena process on the agent host to jump to 100%. This persists even if the SOCKS module is stopped. Tested on Ubuntu 16.04 and 20.04 using both the websocket and http C2 profiles.

To Reproduce
Steps to reproduce the behavior:

  1. Generate an Athena agent for Linux. I chose all default build parameters, included the socks command to be built into the agent, and included either the websocket or the http C2 profile
  2. Launch the agent on the target Linux system and wait for the active callback
  3. Set sleep delay and jitter to 0 and 0 using the 'sleep' command to provide effective channel for SOCKS traffic
  4. Monitor CPU utilisation using 'top' on the Linux system running the agent while running a few random commands on the agent through the Mythic UI to simulate activity - utilisation on the Athena process is around 1-4% at this point during my testing
  5. Run the 'socks' command on the agent to start a SOCKS proxy on port 7000 or similar - observe utilisation on the Athena process which immediately jumps to around 100%
  6. Stop the SOCKS proxy using the 'socks stop' command. Observe utilisation on the Athena process which remains at around 100% until the process is killed

Expected behavior
CPU utilisation for the process is less than 100%

Happy to provide more info as required

athena over https

Is your feature request related to a problem? Please describe.

Seems that I am unable to do communication over https with Athena. I'm new to Mythic so maybe I am missing something.
I am trying to use Athena to callback to a Kali located on aws using the IPv4 DNS such as https://ec2-xx-xx-xx-xx.region.compute.amazonaws.com and port 443 but seems that I am unable (no callback received).
It works over http & port 80.

Describe the solution you'd like
A secure connection from a remote machine.

Describe alternatives you've considered

Maybe other communication channel but does not seem straightforward.

Additional context
Mythic v2.3.13
Latest Athena git (21.10.2022)

SMB agents fail to handle large messages

Describe the bug
When using an SMB agent, large messages are not forwarded by the egress agent. The egress agent will instead experience an error:

Binary stream '0' does not contain a valid BinaryHeader. Possible causes are invalid stream or object version change between serialization and deserialization.
The input stream is not a valid binary format. The starting contents (in bytes) are: 46-68-59-57-46-68-59-57-46-68-59-57-46-68-59-57-46 ...
The input stream is not a valid binary format. The starting contents (in bytes) are: 46-68-59-57-46-68-59-57-46-68-59-57-46-68-59-57-46 ...
The input stream is not a valid binary format. The starting contents (in bytes) are: 46-68-59-57-46-68-59-57-46-68-59-57-46-68-59-57-46 ...

To Reproduce
Steps to reproduce the behavior:

  1. Spawn an Agent
  2. Task it to load the cat command
  3. cat a large file
  4. Agent won't respond

Expected behavior
The contents of the file be forwarded to the Mythic server

Why is the Agent Main not async?

Hey,

did a quick lookup on the code and was wondering why the agent Program.cs contains this:

class Program
{
    /// <summary>
    /// Main loop
    /// </summary>
    static void Main(string[] args)
    {
        AsyncMain().GetAwaiter().GetResult();
    }

    /// <summary>
    /// Main Loop (Async)
    /// </summary>
    static async Task AsyncMain()
    {
        //MythicClient controls all of the agent communications
        AthenaClient ac = new AthenaClient();

        if(!await ac.CheckIn())
        {
            Debug.WriteLine($"[{DateTime.Now}] Failed to update agent info, exiting.");
            Environment.Exit(0);
        }

        //Will need to add checkin to the initial client checkin
        while (!ac.exit)
        {
            await ac.profile.StartBeacon();
        }
    }
}

instead of this:

class Program
{
    /// <summary>
    /// Main Loop (Async)
    /// </summary>
    static async Task Main()
    {
        //MythicClient controls all of the agent communications
        AthenaClient ac = new AthenaClient();

        if(!await ac.CheckIn())
        {
            Debug.WriteLine($"[{DateTime.Now}] Failed to update agent info, exiting.");
            Environment.Exit(0);
        }

        //Will need to add checkin to the initial client checkin
        while (!ac.exit)
        {
            await ac.profile.StartBeacon();
        }
    }
}

OSX requires Code signing

Big Sur requires executables to be signed to be run on M1. dotnet publish -r osx-arm64 will produce unsigned binaries. You will need to sign the published binary before it will run (Unless you are running with Apple SIP disabled and in developer mode).

You can sign the binaries with the Apple codesign tool. A simple adhoc signature would be sufficient for you to test. codesign -s - .

We will need to document this somewhere. It is possible we should have the dotnet publish notify the user of the need to sign the apphost.

This probably needs to be transferred back to the SDK if we want to change publish behavior.

Download/Upload issues

Running config -sleep int -jitter int may cause upload/download to stop functioning?

Need to explore more

Athena window doesn't hide on Windows

Describe the bug
Athena window doesn't hide on Windows

To Reproduce
Steps to reproduce the behavior:

  1. Generate an Athena payload for Windows
  2. Run on Windows

Expected behavior
The console window hides

Desktop (please complete the following information):

  • OS: Windows

Agent Config

  • All

Add Keylogger

Is your feature request related to a problem? Please describe.
A clear and concise description of what the problem is. Ex. I'm always frustrated when [...]

Describe the solution you'd like
A clear and concise description of what you want to happen.

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.

Add obfuscation to C2 Profile parameters

C2 Profile parameters are currently stored within the executable in plaintext. This makes it trivial to pull agent configuration information out of the agent.

I should add obfuscation to c2 profiles that encrypt with a specified key (maybe make it as part of execution guardrails a la DiscerningFinch or by using the default AESPSK generated by the profile)

I can either keep this decrypted in memory, or encrypt and decrypt it at will during sleep/run scenarios.

This likely should also be included as part of a larger obfuscation effort (at the very least renaming classes, methods, and other indicators)

The main points:

  • Encrypt/Obfuscate the default profile options within the agent (e.g. the callback URL)
    • Determine how key will be generated used for encryption (e.g. how difficult do we want it to be to pull out the AESPSK?)
  • Add obfuscation to the underlying code using a tool such as ConfuserEx2 (maybe just in rename mode?)
  • Implement a more secure way to store the c2 config (e.g. encrypted embedded resource that gets deserialized into its appropriate struct?, egg hunting?)

reg plugin assumes KeyValue Kind is String

Going to look into implementing my own "fix" for this, but first wanted to ask if this was intentional or if I was missing something.

I'm trying to add a REG_DWORD registry key but the RegistryAdd function seems to only parse arguments as a String (resulting in the data kind of REG_SZ)

string RegistryAdd(string KeyName, string keyPath, string KeyValue, string RemoteAddr, out bool error)

Is there a reason why you don't use the RegistryValueKind overload?
The RegistryKey.SetValue method can infer a DWORD from an integer input, but Athena seems to pass the KeyValue as a string.

If this is functionality that would be of use, I'd be happy to make a pull request with my own (potentially janky) implementation.

Athena exe agent is starting as 16 bit application.

Describe the bug
Freshly generated agent cannot run on standard Windows 10 machine, displaying the following error:
[image]

I dedicated time to generate various executables with different "Target architecture" options, but the result was unchanged.

To Reproduce
Steps to reproduce the behavior:

  1. Go to "https://127.0.0.1:7443/new/payloads"
  2. Click on "ACTIONS -> Generate New Payload"
  3. Choose "Windows" -> Next -> "Athena" on the dropdown.
  4. Copy the following options and click "NEXT":
    [image]
  5. Click next on "Build Commands Into Agent"
  6. Turn on the http profile, fill in your settings and click "NEXT"
  7. Rename athena.zip to athena.exe and ship it to Windows 10 machine.
  8. Try to execute it.

Expected behavior
After executing the implant, I should receive a callback on Mythic UI. During the time of the testing, no AV software is running on my Windows 10 system (21H1)

Athena callback to HTTP C2 profile with SSL enabled fails to connect

Describe the bug
Athena callback to HTTP C2 profile with SSL enabled fails to connect.

C2 profile config without SSL:

{
  "instances": [
    {
      "ServerHeaders": {
        "Server": "NetDNA-cache/2.2",
        "Cache-Control": "max-age=0, no-cache",
        "Pragma": "no-cache",
        "Connection": "keep-alive",
        "Content-Type": "application/javascript; charset=utf-8"
      },
      "port": 80,
      "key_path": "privkey.pem",
      "cert_path": "fullchain.pem",
      "debug": true,
      "use_ssl": false,
      "payloads": {}
    }
  ]
}

Athena payload config without SSL:

{
    "payload_type": "athena",
    "c2_profiles": [
        {
            "c2_profile": "http",
            "c2_profile_parameters": {
                "query_path_name": "q",
                "proxy_host": "",
                "proxy_port": "",
                "proxy_user": "",
                "proxy_pass": "",
                "callback_interval": "60",
                "callback_port": "80",
                "killdate": "2023-11-14",
                "encrypted_exchange_check": "T",
                "callback_jitter": "23",
                "headers": [
                    {
                        "name": "User-Agent",
                        "key": "User-Agent",
                        "value": "Mozilla\/5.0 (Windows NT 6.3; Trident\/7.0; rv:11.0) like Gecko"
                    }
                ],
                "AESPSK": "aes256_hmac",
                "callback_host": "http:\/\/44.199.202.148",
                "get_uri": "index",
                "post_uri": "data"
            }
        }
    ],
    "commands": [
        "load-assembly",
        "reset-assembly-context",
        "exit",
        "download",
        "unload",
        "jobkill",
        "stop-assembly",
        "sleep",
        "load",
        "link",
        "jobs",
        "load-module",
        "upload",
        "socks",
        "unlink",
        "execute-assembly",
        "token"
    ],
    "selected_os": "Windows",
    "tag": "Created by mythic_admin at 11\/14\/2022 23:55:13 UTC",
    "wrapper": false,
    "build_parameters": [
        {
            "name": "self-contained",
            "value": "True"
        },
        {
            "name": "trimmed",
            "value": "False"
        },
        {
            "name": "compressed",
            "value": "True"
        },
        {
            "name": "ready-to-run",
            "value": "False"
        },
        {
            "name": "single-file",
            "value": "True"
        },
        {
            "name": "rid",
            "value": "win-x64"
        },
        {
            "name": "forwarder-type",
            "value": "none"
        },
        {
            "name": "configuration",
            "value": "Release"
        },
        {
            "name": "native-aot",
            "value": "False"
        },
        {
            "name": "output-type",
            "value": "exe"
        }
    ],
    "filename": "athena.zip"
}

Athena callback without SSL debug output:

agent_message request from: http://44.199.202.148/data with {} and <Header('host': '44.199.202.148', 'user-agent': 'Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko', 'content-type': 'text/plain; charset=utf-8', 'content-length': '560')>
 and URI: 
Forwarding along to: http://mythic_server:17443/api/v1.4/agent_message
[2022-11-15 00:02:22 +0000] - (sanic.access)[INFO][35.83.212.242:49802]: POST http://44.199.202.148/data  200 284
agent_message request from: http://44.199.202.148/data with {} and <Header('host': '44.199.202.148', 'user-agent': 'Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko', 'content-type': 'text/plain; charset=utf-8', 'content-length': '240')>
 and URI: 
Forwarding along to: http://mythic_server:17443/api/v1.4/agent_message
[2022-11-15 00:02:22 +0000] - (sanic.access)[INFO][35.83.212.242:49802]: POST http://44.199.202.148/data  200 220

C2 profile config with SSL:

{
  "instances": [
    {
      "ServerHeaders": {
        "Server": "NetDNA-cache/2.2",
        "Cache-Control": "max-age=0, no-cache",
        "Pragma": "no-cache",
        "Connection": "keep-alive",
        "Content-Type": "application/javascript; charset=utf-8"
      },
      "port": 443,
      "key_path": "privkey.pem",
      "cert_path": "fullchain.pem",
      "debug": true,
      "use_ssl": true,
      "payloads": {}
    }
  ]
}

Athena payload config with SSL:

{
    "payload_type": "athena",
    "c2_profiles": [
        {
            "c2_profile": "http",
            "c2_profile_parameters": {
                "query_path_name": "q",
                "proxy_host": "",
                "proxy_port": "",
                "proxy_user": "",
                "proxy_pass": "",
                "callback_interval": "10",
                "callback_port": "443",
                "killdate": "2023-11-15",
                "encrypted_exchange_check": "T",
                "callback_jitter": "23",
                "headers": [
                    {
                        "name": "User-Agent",
                        "key": "User-Agent",
                        "value": "Mozilla\/5.0 (Windows NT 6.3; Trident\/7.0; rv:11.0) like Gecko"
                    }
                ],
                "AESPSK": "aes256_hmac",
                "callback_host": "https:\/\/44.199.202.148",
                "get_uri": "index",
                "post_uri": "data"
            }
        }
    ],
    "commands": [
        "load-assembly",
        "reset-assembly-context",
        "exit",
        "download",
        "unload",
        "jobkill",
        "stop-assembly",
        "sleep",
        "load",
        "link",
        "jobs",
        "load-module",
        "upload",
        "socks",
        "unlink",
        "execute-assembly",
        "token"
    ],
    "selected_os": "Windows",
    "tag": "Created by mythic_admin at 11\/15\/2022 00:45:40 UTC",
    "wrapper": false,
    "build_parameters": [
        {
            "name": "self-contained",
            "value": "True"
        },
        {
            "name": "trimmed",
            "value": "False"
        },
        {
            "name": "compressed",
            "value": "True"
        },
        {
            "name": "ready-to-run",
            "value": "False"
        },
        {
            "name": "single-file",
            "value": "True"
        },
        {
            "name": "rid",
            "value": "win-x64"
        },
        {
            "name": "forwarder-type",
            "value": "none"
        },
        {
            "name": "configuration",
            "value": "Release"
        },
        {
            "name": "native-aot",
            "value": "False"
        },
        {
            "name": "output-type",
            "value": "exe"
        }
    ],
    "filename": "athena.zip"
}

Athena callback with SSL debug output:

[2022-11-15 00:48:00 +0000] - (sanic.access)[INFO][UNKNOWN]: NONE https:///*  404 41
[2022-11-15 00:48:00 +0000] - (sanic.access)[INFO][UNKNOWN]: NONE https:///*  404 41
[2022-11-15 00:48:09 +0000] - (sanic.access)[INFO][UNKNOWN]: NONE https:///*  404 41

To Reproduce
Steps to reproduce the behavior:
Start an HTTP C2 profile with SSL enabled.
Create an Athena payload associated with the HTTP C2 profile.
Enter the proper callback host and port information.
Submit the payload for build.
Download and execute the Athena payload on a host and wait for the callback.

Expected behavior
The payload should connect and create an active callback.

Screenshots
None

Desktop (please complete the following information):

  • OS: Windows Server 2019

Agent Config
See agent config above.

Additional context
None

Socks Broken W/ Server Side Error

When trying to start a socks proxy on port 7004 I get the following server side error from the socks.py agent_functions script. Using a fresh clone of Athena and Mythic 3.0.0.


[STDOUT]:

[STDERR]:
Traceback (most recent call last):
File "/usr/local/lib/python3.11/site-packages/mythic_container/agent_utils.py", line 331, in createTasking
createTaskingResponse = await cmd.create_tasking(task=task)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/Mythic/athena/mythic/agent_functions/socks.py", line 60, in create_tasking
stop_res = await SendMythicRPCProxyStopCommand(port=task.args.get_arg("port"), task_id=task.id)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
TypeError: SendMythicRPCProxyStopCommand() got an unexpected keyword argument 'port'


Apollo agent's socks is working as expected and calls the SendMythicRPCProxyStartCommand differently than the athena script.
https://github.com/MythicAgents/Apollo/blob/master/Payload_Type/apollo/apollo/mythic/agent_functions/socks.py

    resp = await SendMythicRPCProxyStartCommand(MythicRPCProxyStartMessage(
        TaskID=taskData.Task.ID,
        PortType="socks",
        LocalPort=taskData.args.get_arg("port")
    ))

Reg breaks using HKEY_CURRENT_USER

Using HKEY_CURRENT_USER breaks the reg command.

reg {"action":"query","keyPath":"HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\","keyName":"","keyValue":"","keyType":"string","hostName":""}

Invalid hive selected.

check for all reg hives
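
The "Invalid hive selected." rejection above is a hive-name check that only recognises some spellings of the root keys. The following is an added illustration of what a complete check looks like, written in Python for readability; it is not Athena's code (the agent's reg command is C#). It accepts every standard root key by its long name or its usual abbreviation, in any letter case and with either slash style, and separates the hive from the subkey before anything touches the registry. The alias table is an assumption based on the root keys that reg.exe and winreg expose; the sample inputs are constructed, and include the exact path from the report.

```python
"""Illustrative registry key-path hive check (added example, not Athena's code)."""
from __future__ import annotations

# Canonical hive names keyed by every spelling the Windows tooling accepts.
# Assumption: these are the standard root keys exposed by reg.exe / winreg.
HIVE_ALIASES: dict[str, str] = {
    "HKEY_LOCAL_MACHINE": "HKEY_LOCAL_MACHINE",
    "HKLM": "HKEY_LOCAL_MACHINE",
    "HKEY_CURRENT_USER": "HKEY_CURRENT_USER",
    "HKCU": "HKEY_CURRENT_USER",
    "HKEY_CLASSES_ROOT": "HKEY_CLASSES_ROOT",
    "HKCR": "HKEY_CLASSES_ROOT",
    "HKEY_USERS": "HKEY_USERS",
    "HKU": "HKEY_USERS",
    "HKEY_CURRENT_CONFIG": "HKEY_CURRENT_CONFIG",
    "HKCC": "HKEY_CURRENT_CONFIG",
}


class InvalidHiveError(ValueError):
    """Raised when the leading path component is not a known registry hive."""


def split_key_path(key_path: str) -> tuple[str, str]:
    """Return (canonical_hive, subkey) for a registry key path.

    Forward slashes are normalised to backslashes, a trailing separator
    (as in the report's "...\\Sessions\\") is tolerated, and the hive name
    is matched case-insensitively.  The subkey comes back with no leading
    or trailing separator, so "HKLM" alone yields an empty subkey.
    """
    normalized = key_path.replace("/", "\\").strip("\\")
    if not normalized:
        raise InvalidHiveError("empty key path")
    hive_part, _, subkey = normalized.partition("\\")
    hive = HIVE_ALIASES.get(hive_part.upper())
    if hive is None:
        raise InvalidHiveError(f"Invalid hive selected: {hive_part!r}")
    return hive, subkey.strip("\\")


def is_valid_hive(key_path: str) -> bool:
    """Boolean form of split_key_path, for cheap argument validation."""
    try:
        split_key_path(key_path)
    except InvalidHiveError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs; the first one is the path from the issue above.
    for path in (
        "HKEY_CURRENT_USER\\Software\\SimonTatham\\PuTTY\\Sessions\\",
        "hkcu\\Software\\SimonTatham\\PuTTY\\Sessions",
        "HKLM/SYSTEM/CurrentControlSet/Services",
        "HKEY_BOGUS\\Foo",
    ):
        result = split_key_path(path) if is_valid_hive(path) else "rejected"
        print(f"{path!r} -> {result}")
```

Keeping the alias table as the single source of truth means a new hive spelling is a one-line change rather than another branch in the command handler, and failing closed on anything unknown keeps the error message the reporter saw for genuinely invalid input only.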

RHEL/CentOS Support

Describe the bug
Process exits with an error when run on CentOS

Process terminated. Couldn't find a valid ICU package installed on the system. Please install libicu using your package manager and try again. Alternatively you can set the configuration flag System.Globalization.Invariant to true if you want to run with no globalization support. Please see https://aka.ms/dotnet-missing-libicu for more information.
   at System.Environment.FailFast(System.String)
   at System.Globalization.GlobalizationMode+Settings..cctor()
   at System.Globalization.CultureData.CreateCultureWithInvariantData()
   at System.Globalization.CultureData.get_Invariant()
   at System.Globalization.CultureInfo..cctor()
   at System.Globalization.CultureInfo.get_CurrentCulture()
   at System.Globalization.DateTimeFormatInfo.get_CurrentInfo()
   at System.DateTime.TryParse(System.String, System.DateTime ByRef)
   at Athena.MythicConfig..ctor()
   at Athena.MythicClient..ctor()
   at Athena.Program+<AsyncMain>d__1.MoveNext()
   at System.Runtime.CompilerServices.AsyncMethodBuilderCore.Start[[Athena.Program+<AsyncMain>d__1, Athena, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]](<AsyncMain>d__1 ByRef)
   at System.Runtime.CompilerServices.AsyncTaskMethodBuilder.Start[[Athena.Program+<AsyncMain>d__1, Athena, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null]](<AsyncMain>d__1 ByRef)
   at Athena.Program.AsyncMain()
   at Athena.Program.Main(System.String[])
Aborted

To Reproduce
1.) Generate an Athena Agent for Linux
2.) Set your rid to linux-x64 or rhel.8-x64
3.) Execute Athena on the host

Desktop (please complete the following information):
CentOS Version: 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Branch main/dev

Agent Config

{
    "payload_type": "athena",
    "c2_profiles": [
        {
            "c2_profile": "http",
            "c2_profile_parameters": {
                "callback_port": "443",
                "killdate": "2023-10-18",
                "encrypted_exchange_check": "T",
                "callback_jitter": "23",
                "headers": [
                    {
                        "name": "User-Agent",
                        "key": "User-Agent",
                        "value": "",
                        "custom": false
                    },
                    {
                        "name": "*",
                        "key": "",
                        "value": "",
                        "custom": true
                    }
                ],
                "AESPSK": "aes256_hmac",
                "callback_host": "",
                "get_uri": "api\/index",
                "post_uri": "api\/data",
                "query_path_name": "q",
                "proxy_host": "",
                "proxy_port": "",
                "proxy_user": "",
                "proxy_pass": "",
                "callback_interval": "10"
            }
        }
    ],
    "commands": [
        "socks",
        "jobkill",
        "load-assembly",
        "jobs",
        "load-module",
        "reset-assembly-context",
        "unload",
        "sleep",
        "exit",
        "upload",
        "execute-assembly",
        "load",
        "unlink",
        "stop-assembly",
        "download"
    ],
    "selected_os": "Linux",
    "tag": "Created by anubis at 10\/19\/2022 18:24:58 UTC",
    "wrapper": false,
    "build_parameters": [
        {
            "name": "self-contained",
            "value": "True"
        },
        {
            "name": "trimmed",
            "value": "False"
        },
        {
            "name": "compressed",
            "value": "True"
        },
        {
            "name": "ready-to-run",
            "value": "False"
        },
        {
            "name": "single-file",
            "value": "True"
        },
        {
            "name": "rid",
            "value": "linux-x64"
        },
        {
            "name": "forwarder-type",
            "value": "smb"
        },
        {
            "name": "configuration",
            "value": "Release"
        },
        {
            "name": "native-aot",
            "value": "False"
        },
        {
            "name": "output-type",
            "value": "exe"
        }
    ],
    "filename": "athena_linux_x64"
}

Additional context
Current dev Athena streamlines the rid process, but removes the RHEL rid, which I'll need to find a way to re-add.
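
The runtime's own message above names the alternative to installing libicu: run in globalization-invariant mode. As an added example, not the project's build configuration, this is the runtimeconfig.template.json fragment that sets the flag the trace mentions, System.Globalization.Invariant, so the published binary stops at nothing in CultureInfo's static constructor on a host without ICU. The same switch can be set with the MSBuild property InvariantGlobalization set to true in the project file, or at launch with the environment variable DOTNET_SYSTEM_GLOBALIZATION_INVARIANT set to 1.

```json
{
  "configProperties": {
    "System.Globalization.Invariant": true
  }
}
```

Invariant mode makes culture-sensitive operations behave as the invariant culture, and the failing frame here is DateTime.TryParse on the killdate in MythicConfig's constructor, so whichever option is used the killdate string should be written in a form that parses identically under any culture (the ISO-style "2023-10-18" in the config above already is).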
